Supported Cipher Suites
Cipher suites are cipher combinations that are used to negotiate security settings during the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handshake.
Make sure you verify the correct cipher settings with your security team, and update your eCDN zone cipher suite settings based on your security requirements.
The SCAPI eCDN cipher suite endpoints (getCipherSuites and updateCipherSuites) retrieve and restrict the TLS cipher suites that browsers and devices are allowed to use when accessing a customer's website or hostname that is served by a specified zone.
TLS 1.2 or later is recommended for all connections.
Modern cipher suites offer the best security and performance by limiting your clients to modern devices and browsers. All modern cipher suites use forward secrecy encryption and support authenticated encryption (AEAD).
The following Modern cipher suites are supported:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
Compatible cipher suites provide broader compatibility with support for additional cipher suites:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
Legacy cipher suites include all cipher suites that our eCDN partners support. By default, these legacy cipher suites are selected, because this provides the broadest compatibility for customer implementations, although it includes some weaker ciphers.
The getCipherSuites endpoint returns a cipherSuiteType of Legacy and an empty cipher suite array, which means that the following default legacy cipher suites are used:
AEAD-AES128-GCM-SHA256
AEAD-AES256-GCM-SHA384
AEAD-CHACHA20-POLY1305-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
DES-CBC3-SHA
To combine or specify a set of cipher suites that you want to allow, use the updateCipherSuites endpoint to specify the custom cipher suites that you want to support and set cipherSuiteType to Custom. When you set cipherSuiteType to Custom, you must specify a minimum of 5 valid ciphers.
If you require TLS 1.3 for HTTPS connections, you must first enable TLS 1.3 connections to be accepted in your zone using the Business Manager crypto settings of the zone or using the updateSecuritySettings endpoint. This automatically enables the following ciphers:
AEAD-AES128-GCM-SHA256 (IANA name: TLS_AES_128_GCM_SHA256)
AEAD-AES256-GCM-SHA384 (IANA name: TLS_AES_256_GCM_SHA384)
AEAD-CHACHA20-POLY1305-SHA256 (IANA name: TLS_CHACHA20_POLY1305_SHA256)
OpenSSL Cipher Name | IANA Name | Available in Cipher Suite Type | Minimum TLS Protocol Version |
---|---|---|---|
ECDHE-ECDSA-AES128-GCM-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Modern, Compatible, Legacy | TLS 1.2 |
ECDHE-ECDSA-CHACHA20-POLY1305 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | Modern, Compatible, Legacy | TLS 1.2 |
ECDHE-RSA-AES128-GCM-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Modern, Compatible, Legacy | TLS 1.2 |
ECDHE-RSA-CHACHA20-POLY1305 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | Modern, Compatible, Legacy | TLS 1.2 |
ECDHE-ECDSA-AES128-SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Compatible, Legacy | TLS 1.2 |
ECDHE-ECDSA-AES128-SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Legacy | TLS 1.0 |
ECDHE-RSA-AES128-SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | Compatible, Legacy | TLS 1.2 |
ECDHE-RSA-AES128-SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | Legacy | TLS 1.0 |
AES128-GCM-SHA256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | Legacy | TLS 1.2 |
AES128-SHA256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | Legacy | TLS 1.2 |
AES128-SHA | TLS_RSA_WITH_AES_128_CBC_SHA | Legacy | TLS 1.0 |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Modern, Compatible, Legacy | TLS 1.2 |
ECDHE-ECDSA-AES256-SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | Compatible, Legacy | TLS 1.2 |
ECDHE-RSA-AES256-GCM-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Modern, Compatible, Legacy | TLS 1.2 |
ECDHE-RSA-AES256-SHA384 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Compatible, Legacy | TLS 1.2 |
ECDHE-RSA-AES256-SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Legacy | TLS 1.0 |
AES256-GCM-SHA384 | TLS_RSA_WITH_AES_256_GCM_SHA384 | Legacy | TLS 1.2 |
AES256-SHA256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | Legacy | TLS 1.2 |
AES256-SHA | TLS_RSA_WITH_AES_256_CBC_SHA | Legacy | TLS 1.0 |
DES-CBC3-SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | Legacy | TLS 1.0 |
AEAD-AES128-GCM-SHA256 | TLS_AES_128_GCM_SHA256 | Custom | TLS 1.3 |
AEAD-AES256-GCM-SHA384 | TLS_AES_256_GCM_SHA384 | Custom | TLS 1.3 |
AEAD-CHACHA20-POLY1305-SHA256 | TLS_CHACHA20_POLY1305_SHA256 | Custom | TLS 1.3 |
- What cipher suites are needed for Payment Card Industry Data Security Standard (PCI DSS) compliance?
- The following cipher suites are recommended for PCI DSS compliance. Check with your security team to verify compliance with your site's security requirements.
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
- How can I disable weak cipher suites listed in the SSL Labs weak ciphers report?
- To disable weak ciphers listed in a Qualys SSL Labs report:
- Use the previous table to get the corresponding cipher suite information.
- Identify which cipher suites you want to allow.
- Use the updateCipherSuites endpoint to specify the custom cipher suites that you want to allow and set cipherSuiteType to Custom for the applicable zone.
- What is the order in which cipher suites are used?
- ECDSA cipher suites are prioritized over RSA, and then cipher suites are considered in the order they were set. This means that, if both ECDSA and RSA are used, Cloudflare presents the ECDSA ciphers first in the order they were set. Then the RSA ciphers are presented in the order they were set.
- Why am I getting the ERR_SSL_VERSION_OR_CIPHER_MISMATCH cipher suite mismatch error when visiting my site?
- Ensure that the certificate is compatible with the chosen cipher suites for your zone. For example, if you upload an RSA certificate, your cipher suite selection cannot specify support for only ECDSA certificates.
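The following Python script is an added example, not code from the eCDN documentation or the SCAPI project. Before calling updateCipherSuites with cipherSuiteType set to Custom, it checks a planned selection against the rules on this page (names from the table above, the minimum of 5 valid ciphers, the ECDSA-before-RSA presentation order, and the certificate key type behind ERR_SSL_VERSION_OR_CIPHER_MISMATCH); the "weak" classification (no forward secrecy, CBC mode, 3DES) is this example's own assumption, modelled on what an SSL Labs report typically flags.

```python
from typing import Dict, List

# OpenSSL cipher names copied from the page's table (TLS 1.2 and earlier rows).
# The TLS 1.3 suites are enabled separately by the zone's TLS 1.3 setting.
SUPPORTED = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA", "DES-CBC3-SHA",
}
MIN_CUSTOM = 5  # the page: a Custom selection needs at least 5 valid ciphers


def key_type(name: str) -> str:
    """Certificate key type the suite authenticates with: ECDSA or RSA."""
    return "ECDSA" if "-ECDSA-" in name else "RSA"


def is_weak(name: str) -> bool:
    """Assumed 'weak' rule: no forward secrecy (no ECDHE), 3DES, or CBC mode
    (no GCM/Poly1305 AEAD). This mirrors typical SSL Labs findings."""
    no_forward_secrecy = not name.startswith("ECDHE-")
    triple_des = name.startswith("DES-")
    cbc_mode = not ("-GCM-" in name or "POLY1305" in name)
    return no_forward_secrecy or triple_des or cbc_mode


def presentation_order(selected: List[str]) -> List[str]:
    """ECDSA suites first, then RSA suites, each group in the order set."""
    ecdsa = [s for s in selected if key_type(s) == "ECDSA"]
    rsa = [s for s in selected if key_type(s) == "RSA"]
    return ecdsa + rsa


def validate_custom(selected: List[str], cert_key_type: str) -> Dict[str, object]:
    """Check a planned Custom selection for a zone whose certificate uses
    cert_key_type ("RSA" or "ECDSA"). Returns problems, weak suites and order."""
    unknown = [s for s in selected if s not in SUPPORTED]
    valid = [s for s in selected if s in SUPPORTED]
    problems = []
    if unknown:
        problems.append(f"unsupported cipher names: {unknown}")
    if len(valid) < MIN_CUSTOM:
        problems.append(f"Custom needs at least {MIN_CUSTOM} valid ciphers, got {len(valid)}")
    # An RSA certificate with only ECDSA suites (or vice versa) cannot complete
    # a handshake: browsers report ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
    if valid and not any(key_type(s) == cert_key_type for s in valid):
        problems.append(f"no suite matches the {cert_key_type} certificate (mismatch)")
    return {"ok": not problems, "problems": problems,
            "weak": [s for s in valid if is_weak(s)],
            "order": presentation_order(valid)}
```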